2FA Security Issues
Static passwords have had their heyday — a different approach is needed when it comes to improving user security.
WWW.DEVSECOPSGUIDES.COM
2FA Security Issue
What is 2FA
Vulnerabilities in 2FA
What is 2FA
What are the types of 2FA?
SMS 2FA
U2F Tokens
TOTP 2FA
Push-Based 2FA
WebAuthn
Created by the FIDO (Fast IDentity Online) Alliance and W3C, the Web Authentication API is a specification that enables strong, public key cryptography registration and authentication.
WebAuthn (Web Authentication API) allows third parties like Duo to tap into built-in biometric authenticators on laptops and smartphones, letting users authenticate quickly and with the tools they already have at their fingertips.
What Threats Does 2FA Address?
Stolen Passwords
Phishing Attempts
Social Engineering
Brute-Force Attacks
Broken Logic
Key Logging
Two-factor authentication tokens
SIM Swapping Attack
Brute-forcing 2FA verification codes
https://github.com/PortSwigger/turbo-intruder
https://portswigger.net/burp/documentation/desktop/options/sessions#macros
2FA broken logic
Risks that 2FA aims to mitigate
Better alternatives to 2FA SMS
While it’s best to skip 2FA if SMS is the only option, this doesn’t solve the reason for adding 2FA in the first place. To prevent brute force and other attacks targeting password-only authentication, some form of 2FA is needed.
Hardware authentication
Software authentication
IP-based authentication
This method checks the user’s IP address when logging in. You can block access to specific IP addresses suspected to be malicious, or simply only allow logins from known IP addresses and ranges. IP-based authentication can be used in conjunction with other forms to add another layer of protection.
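Added example (not from the deck or any of its linked resources) showing the IP-based layer described above sitting in front of a second-factor code check, with the code check hardened against the brute-forcing and broken-logic issues named earlier in the deck. The address ranges, account name and code are constructed sample values, and the attempt cap and the "allow only known ranges" option are assumptions about a reasonable policy.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed sample policy (assumption, not taken from the deck).
ALLOWED_RANGES = ["203.0.113.0/24", "2001:db8:10::/48"]  # known office/VPN ranges
BLOCKED_RANGES = ["198.51.100.0/24"]                      # suspected malicious
MAX_CODE_ATTEMPTS = 5                                     # cap per login session


def ip_decision(client_ip, allowed=ALLOWED_RANGES, blocked=BLOCKED_RANGES):
    """Return 'block', 'allow' or 'unknown' for the address a login came from.
    The blocklist wins over the allowlist; unparseable input is blocked."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return "block"
    if any(addr in ipaddress.ip_network(c, strict=False) for c in blocked):
        return "block"
    if any(addr in ipaddress.ip_network(c, strict=False) for c in allowed):
        return "allow"
    return "unknown"


@dataclass
class LoginSession:
    user: str             # account that passed the password step
    expected_code: str    # code issued to that same account (TOTP, push, ...)
    attempts: int = 0
    closed: bool = False  # set after success (code is single-use) or lockout


def verify_code(session, user, code):
    """Second-factor check: the code only counts for the account bound to this
    session (broken logic), and wrong guesses are capped (brute force)."""
    if session.closed or user != session.user:
        return False
    session.attempts += 1
    if hmac.compare_digest(session.expected_code.encode(), code.encode()):
        session.closed = True  # single use; a fresh login starts a new session
        return True
    if session.attempts >= MAX_CODE_ATTEMPTS:
        session.closed = True
    return False


def login(session, client_ip, user, code, allow_only_known=False):
    """IP policy first, then the second factor; an allowed address never skips
    the code check, it only adds a layer."""
    verdict = ip_decision(client_ip)
    if verdict == "block" or (allow_only_known and verdict != "allow"):
        return "denied"
    return "allowed" if verify_code(session, user, code) else "denied"
```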
Resources
https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html
https://duo.com/product/multi-factor-authentication-mfa/two-factor-authentication-2fa
https://portswigger.net/web-security/authentication
https://www.sathwikat.me/describe-the-risks-that-two-factor-authentication-mechanisms-aim-to-mitigate/
https://devsecopsguides.com